
I'm setting up a wireless AP with OpenWRT to support dynamic VLANs, provided by a RADIUS server.

I found a guide on OpenWRT.org which I followed, and with some extra research I'm almost there. The only thing not working is the dynamic vlan assignment. And I can't figure out why.

I'm running 15.05 Chaos Calmer on a TP-Link Archer C7 in 'ap' mode. Firewall and DHCP are turned off, as they are provided by the network.

I can authenticate with the RADIUS server and log in to both my internal and guest network if I manually bridge the SSID to the desired VLAN. Dynamic VLANs are not working though. FreeRADIUS is correctly transmitting the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, as checked with Wireshark. I'm not sure, but I think it might have something to do with hostapd not getting the right settings.

Any help would be greatly appreciated.

My /etc/config/wireless looks as follows:

config wifi-iface
    option device   'radio1'
    option mode     'ap'
    option ssid     'WTD_Test_Rad'
    option encryption 'wpa2'
    option server   '172.16.20.105'
    option key      'RadiusSecret'
    option dynamic_vlan '2'
    option vlan_tagged_interface 'eth1'
    option vlan_naming 0
    option vlan_bridge 'br-vlan'

But I cannot find these VLAN settings in the generated hostapd config file, /var/run/hostapd-phy1.conf:

interface=wlan1
ctrl_interface=/var/run/hostapd
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
auth_server_addr=172.16.20.105
auth_server_port=1812
auth_server_shared_secret=RadiusSecret@WalkingTheDog
eapol_key_index_workaround=1
ieee8021x=1
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=WTD_Test_Rad
wpa_key_mgmt=WPA-EAP
okc=0
disable_pmksa_caching=1
bssid=60:e3:27:58:3a:8d

The hostapd -dd output shows the right AVPs being received, but hostapd doesn't seem to care about any of them.

wlan1: RADIUS Received 195 bytes from RADIUS server
wlan1: RADIUS Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=79 length=195
   Attribute 79 (EAP-Message) length=6
      Value: 03f50004
   Attribute 80 (Message-Authenticator) length=18
      Value: d544a5f47ae84b9716fd76fb447a54e7
   Attribute 1 (User-Name) length=10
      Value: 'Mdirickx'
   Attribute 64 (Tunnel-Type) length=6
      Value: 0000000d
   Attribute 65 (Tunnel-Medium-Type) length=6
      Value: 00000006
   Attribute 81 (Tunnel-Private-Group-Id) length=3
      Value: 32
   Attribute 1 (User-Name) length=10
      Value: 'Mdirickx'
wlan1: STA 40:78:6a:53:eb:fb RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: old identity 'Mdirickx' updated with User-Name from Access-Accept 'Mdirickx'
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: decapsulated EAP packet (code=3 id=245 len=4) from RADIUS server: EAP Success
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: Sending EAP Packet (identifier 245)
wlan1: STA 40:78:6a:53:eb:fb WPA: sending 1/4 msg of 4-Way Handshake
wlan1: STA 40:78:6a:53:eb:fb WPA: received EAPOL-Key frame (2/4 Pairwise)
wlan1: STA 40:78:6a:53:eb:fb WPA: sending 3/4 msg of 4-Way Handshake
wlan1: STA 40:78:6a:53:eb:fb WPA: received EAPOL-Key frame (4/4 Pairwise)
wlan1: STA 40:78:6a:53:eb:fb WPA: pairwise key handshake completed (RSN)
wlan1: AP-STA-CONNECTED 40:78:6a:53:eb:fb
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: authorizing port
wlan1: STA 40:78:6a:53:eb:fb RADIUS: starting accounting session 56EC0FBB-00000004
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
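
To check from a hostapd -dd dump whether an Access-Accept actually carries a VLAN assignment that hostapd can act on (Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802 and a numeric Tunnel-Private-Group-Id, all in the same RFC 2868 tag group), here is a small decoder added to this thread as an illustration; it is not the question's or hostapd's own code, and the attribute lines it embeds are a constructed sample copied from the dump above.

```python
import re
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13  # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6  # RFC 3580: Tunnel-Medium-Type value for IEEE-802
# Constructed sample: the tunnel attribute lines copied from the Access-Accept dump above.
SAMPLE_DUMP = """\
   Attribute 64 (Tunnel-Type) length=6
      Value: 0000000d
   Attribute 65 (Tunnel-Medium-Type) length=6
      Value: 00000006
   Attribute 81 (Tunnel-Private-Group-Id) length=3
      Value: 32
"""
ATTR_RE = re.compile(r"^\s*Attribute (\d+) \(.*?\) length=(\d+)\s*$")
HEX_RE = re.compile(r"^\s*Value: ([0-9a-fA-F]+)\s*$")

def parse_dump(text):
    """Return [(attr_type, raw_value_bytes)] for attributes hostapd printed as hex."""
    attrs, lines = [], text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m, h = ATTR_RE.match(line), HEX_RE.match(lines[i + 1])
        if not (m and h):
            continue  # quoted string values (e.g. User-Name) are not tunnel attributes
        raw = bytes.fromhex(h.group(1))
        if len(raw) != int(m.group(2)) - 2:  # RADIUS length includes the 2-octet header
            raise ValueError("attribute %s: length does not match value" % m.group(1))
        attrs.append((int(m.group(1)), raw))
    return attrs

def split_tag(attr_type, raw):
    """RFC 2868 tag rule: a first octet above 0x1F is data, not a tag (treated as tag 0)."""
    tag = raw[0] if raw and raw[0] <= 0x1F else 0
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        return tag, int.from_bytes(raw[1:4], "big")  # tag octet + 3-octet integer
    return tag, (raw[1:] if tag else raw)  # Group-Id only carries a tag octet when tagged

def assigned_vlan(attrs):
    """VLAN ID hostapd would use, or None if no tag group forms a complete VLAN/802 triple."""
    groups = {}
    for attr_type, raw in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, value = split_tag(attr_type, raw)
            groups.setdefault(tag, {})[attr_type] = value
    for g in groups.values():
        if g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802:
            gid = g.get(TUNNEL_PRIVATE_GROUP_ID, b"")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None
```

For the dump in the question this yields VLAN 2, so the server side is fine and the problem lies in the AP's hostapd configuration; a mismatched tag, a non-VLAN Tunnel-Type, or a non-numeric group name all come back as None, which is what a station silently landing on the untagged network looks like.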

4 Answers

I'd make a comment instead of an answer but I don't have enough reputation here for that. I literally wrote the HOWTO you linked to in your OP on using 802.1x Dynamic VLANs in OpenWRT as well as figured out and submitted the patches to get them working.

Some of what you're saying doesn't seem to make sense. In particular, that option dynamic_vlan '1' works but option dynamic_vlan '2' doesn't even show up in the hostapd configuration file shouldn't be the case. The OpenWRT script which reads your /etc/config/wireless file and translates it into the hostapd config file just looks for the dynamic_vlan option and, if it's there and has an integer value, puts it into the hostapd file, so if 1 shows up in the hostapd file, 2 should as well. Please check to see if it's showing up in your hostapd config file when you set dynamic_vlan to 1. That will give some more information to work with.

Ben Franske

Quite an old question, but the answer is still not easy to find via web search. The How-to Guide helped me to narrow down the working concept. Here is the last config that worked for me.

First of all, I'm on OpenWRT version 21.02.1 on an EAP225v3.

  1. Remove the wpad-basic* package and install wpad.
  2. The default hostapd has a "Malformed Radius Packet" problem when working with a WPA-EAP setup. Correct the file /lib/netifd/hostapd.sh with the help of the Git commit, then restart hostapd or reboot the device.
  3. This is a sample for each VLAN within /etc/config/network:

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '172'
        option name 'br-lan.172'

config device
        option type 'bridge'
        option name 'br-vlan172'
        list ports 'br-lan.172'
        list ports 'eth0'

config interface 'Guests'
        option proto 'none'
        option device 'br-vlan172'

  4. And last, create a wireless iface, like:

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'test-ssid'
        option encryption 'wpa2'
        option auth_server '192.168.2.5'
        option auth_port '1812'
        option auth_secret '123456'
        option acct_server '192.168.2.5'
        option acct_port '1813'
        option acct_secret '123456'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'br-lan'
        option vlan_bridge 'br-vlan'
        option vlan_naming '0'
amlanhldr

config wifi-iface
    option dynamic_vlan '2'

did not seem to work, once altered to

config wifi-iface
    option dynamic_vlan '1'

everything worked as it should.

This does pose a security risk.


I think not everything worked as it should. You are just automatically falling back to NO dynamic VLAN (or option dynamic_vlan '0'). Perhaps your hostapd doesn't support dynamic VLANs (like if you are using hostapd-mini or hostapd-common). You should install the full version:

opkg install hostapd

See more details here:

hostapd.sh

473183469

flo

  • Hi Flo, thanks for the follow up. I've just checked to be sure that hostapd is indeed installed correctly and not just hostapd-common; it is. But that's a nice script though. – Frank Vermeulen Jan 25 '17 at 14:38
  • I actually think there is an implementation issue with the version I'm using: if I enter "dynamic_vlan 0" the property shows up in the running config /var/run/hostapd-phy1.conf. The same thing happens when I enter "dynamic_vlan 1". But as soon as I set it to "dynamic_vlan 2" the setting disappears in the running config. The same thing happens with 3, 4, aemlkjsdf and so on. I guess the value '2' is somewhere somehow not recognized by the Lua script. – Frank Vermeulen Jan 25 '17 at 14:41